From davidreign@hotmail.com Tue Jun 4 09:37:20 2002
From: david evlis reign
X-Originating-IP: [139.134.57.153]
To: bugtraq@securityfocus.com, vuln-dev@securityfocus.com,
vulnwatch@vulnwatch.org
Date: Tue, 04 Jun 2002 02:25:18 +0000
Subject: [VulnWatch] [DER #11] - Remotely exploitable fmt string bug in squid
-------------------------------------------
- DAVID EVLIS REIGN SECURITY ADVISORY #11 -
-------------------------------------------
- WHAT -
Remotely Exploitable Format String Hole
- WHO -
MSNT squid auth for NtDomains
- DETAILS ON PRODUCT -
This is an authentication module for the Squid proxy server to authenticate
users on an NT domain. It originates from the Samba and SMB packages by Andrew
Tridgell and Richard Sharpe. This version is sourced from the Pike
authentication module by William Welliver (hwellive@intersil.com).

Usage is simple. It accepts a username and password on standard input and will
return OK if the username/password is valid for the domain, or ERR if there was
some problem. Check syslog messages for reported problems.

Msntauth is released under the GNU General Public License and is available from
http://stellarx.tripod.com.
- DETAILS OF EXPLOIT -
In the allowuser code of MSNT there is (cough *many buffer overflows* cough) a
remotely exploitable syslog() call which may under certain circumstances lead to
remote compromise of the box running it (windows [1398|me|2000|xp].[1]).

Code portions taken from the exploitable bit of code...
sscanf(ConnectingUser, " %s ", CUBuf);
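The two defects the advisory points at are an unbounded sscanf() into a fixed buffer and a syslog() call that takes attacker-influenced text where the format string belongs. The C below is an added example, not code from the advisory or from msntauth: it shows the hardened form of each (a width-limited sscanf, and a fixed format with the user string passed as an argument) plus a small helper a defender can use to flag input carrying '%' conversions before it reaches a logger. CUBUF_LEN, the function names and the two sample inputs are assumptions constructed for the example; the real msntauth buffer size is not stated on the page.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical buffer size for CUBuf; the advisory does not state the real one. */
#define CUBUF_LEN 8

/* Constructed sample inputs, not taken from the advisory. */
static const char *SAMPLE_LONG_USER    = "  averyveryverylongusername  ";
static const char *SAMPLE_PERCENT_USER = "bob%s%s";

/*
 * Hardened form of the sscanf on the page: a field width ties the copy to the
 * destination size, so an over-long ConnectingUser is truncated, not overflowed.
 * The format is built at run time so the width always matches out_len - 1.
 */
int parse_user_bounded(const char *connecting_user, char *out, size_t out_len)
{
    char fmt[32];
    if (out_len < 2)
        return 0;
    snprintf(fmt, sizeof fmt, " %%%zus ", out_len - 1);   /* e.g. " %7s " */
    return sscanf(connecting_user, fmt, out) == 1;
}

/*
 * Safe logging pattern: the attacker-influenced string is an argument to a
 * fixed format, never the format itself (same idea as syslog(LOG_ERR, "%s", s)).
 */
void log_auth_failure(const char *user)
{
    syslog(LOG_ERR, "msntauth: authentication failed for user %s", user);
}

/* The same message rendered into a buffer so the behaviour can be checked offline. */
int format_auth_failure(char *out, size_t out_len, const char *user)
{
    return snprintf(out, out_len, "msntauth: authentication failed for user %s", user);
}

/* Detection helper: flag input that carries printf conversion characters. */
int has_format_directives(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Length of the user name after bounded parsing of the constructed long input. */
size_t demo_bounded_copy_len(void)
{
    char cubuf[CUBUF_LEN];
    if (!parse_user_bounded(SAMPLE_LONG_USER, cubuf, sizeof cubuf))
        return 0;
    return strlen(cubuf);              /* CUBUF_LEN - 1, i.e. 7 */
}

/* 1 if the '%' characters survive verbatim in the log line, i.e. were not interpreted. */
int demo_percent_preserved(void)
{
    char line[128];
    format_auth_failure(line, sizeof line, SAMPLE_PERCENT_USER);
    return strstr(line, "user bob%s%s") != NULL;
}

int main(void)
{
    char cubuf[CUBUF_LEN];
    char line[128];

    parse_user_bounded(SAMPLE_LONG_USER, cubuf, sizeof cubuf);
    printf("bounded copy: \"%s\" (%zu chars)\n", cubuf, strlen(cubuf));

    format_auth_failure(line, sizeof line, SAMPLE_PERCENT_USER);
    printf("log line: %s\n", line);
    printf("input needs review: %s\n",
           has_format_directives(SAMPLE_PERCENT_USER) ? "yes" : "no");
    return 0;
}
```

The width in the scanf format is what stops the overflow; the fixed format in the logging call is what stops the format string bug. has_format_directives() is only a triage aid for alerting on suspicious auth input, not a substitute for either fix.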